Even with many layers of server security, if a WordPress install is not constantly updated and your directories do not have the proper permissions set your WordPress site is susceptible to hack attacks which, if successful, may result in your website hosting phishing pages, exploits or sending SPAM. Provided below are many tips on helping you secure your WordPress install.
When it comes to security plugins, we are currently a fan of the WordFence plugin (http://www.wordfence.com) at the moment as it monitors your WordPress files for changes and searches for foreign files. It is available in both a free and premium version with the free version being very featured. Be sure to perform a backup of your account first before first using a plugin such as WordFence. It also runs a global protection measure which is very pro-active in defending against attacks. If one WordPress site running Wordfence is attacked, the attacker is blocked and all other sites also running Wordfence block that attacker.
If you you do not have clients in areas such as Hong Kong, Russia, Nigera, China, Brazil, North Korea, Turkey, Romania, Ukraine, Iraq, Iran, Afghanistan and other hi-rate hacking countries you may want to consider using an htaccess file which you may easily use to block entire countries with your account with us which you can generate for free here:
http://www.ip2location.com/blockvisitorsbycountry.aspx
Once created upload to your public_html folder or, if you have an existing .htaccess file there, append to your existing content.
We also recommend using our bad bot blocker which will help stop some of the bots from sniffing out your WordPress install(s) available in your client area:
https://my.ultrawebhosting.com/dl.php?type=d&id=1
Hide your WordPress. Plugins which are great to help avoid bots from hitting your WordPress altogether are HideMyWP and iThemes Security (Free). For HideMyWP their description of the plugin: “Hide My WP control access to PHP files. It protects your site from almost 90% of SQL-Injection and XSS attacks caused by direct access to PHP files. This means you can install unsafe plugins without worry about security. You know hackers, spammers and bots all love WordPress, too with Hide My WP they can’t recognize (or access to) WordPress and simply ignore you!”
http://codecanyon.net/item/hide-my-wp-no-one-can-know-you-use-wordpress/4177158
iThemes Security is available via your plugin manager and the add new area.
Auto-update. If you are not familiar with WordPress and can keep it up to date it may be a good idea to enable auto-updates to your website. The following article goes over configuring this for your installation:
http://codex.wordpress.org/Configuring_Automatic_Background_Updates
The following tips are more impacting and require special consideration:
Every WordPress site contains a file called wp-config.php. Along with the database details, this file also contains many other configuration parameters which can lead to a much better security of your WordPress Site.
Change Database Prefix ($table_prefix)
The WordPress database consists of many tables to store posts, links, comments, users etc. Now these tables by default have standard names like wp_users, wp_options, wp_posts etc. Now a hacker knows that your user details are stored in the table wp_users, and will try and exploit this. We can however prevent the hacker from guessing the name of the table. To do this, while installing WordPress, we need to change the setting for $table_prefix.
In your wp-config file there will be a line:
$table_prefix = ‘wp_';
You need to change it to something random like:
$table_prefix = ‘axcsr_';
This will cause the tables in the database to become axcsr_users, axcsr_posts etc, in turn making it harder for the hacker to guess.
Disable Editing of Theme/Plugin files
In the WordPress Dashboard, there is an option to edit your theme/plugin files. This option is not to be used by normal users under any circumstance. However, in the hands of a hacker it can be extremely dangerous. For example, suppose a hacker is able to login to your site using some exploit. One of easiest mechanisms for them to add malware to your site, will be by editing existing files. By disabling the option to edit these files, you take away a valuable tool from hackers. It can be done by adding the following line to your wp-config.php file:
define(‘DISALLOW_FILE_EDIT’,true);
Disallowing user to install plugins, themes or doing updates.
Disallowing a user to edit plugin/theme files will only provide one level of security. However, this does not prevent the hacker from adding a new plugin or theme. Once the Admin Panel is compromised, the hacker can also install a rogue theme or a rogue plugin. If you do not install plugins on a regular basis, we suggest, that you disable this option altogether. This can be done by using the option:
define(‘DISALLOW_FILE_MODS’,true);
In such cases, a plugin/theme can however be installed by directly copying the plugin to the site using FTP.
Forcing use of FTP for all uploads, upgrades and plugin installation.
The next idea can be quite restrictive for many sites. An alternative in such cases could be to force users to provide FTP details whenever uploading a file, or installing a plugin/theme. Hence, even if a hacker is able to infiltrate your Admin Panel, they will not be able to install a new script without knowing your secret FTP credentials. To do this, add the following line to your wp-config.php:
define(‘FS_METHOD’, ‘ftpext’);
If FTPS is supported then add the following line to the config file:
define(‘FTP_SSL’, true);
If your webhost or server supports SFTP you should use the following more secure option instead:
define(‘FS_METHOD’, ‘ssh2′);
Change Security Keys
When a user logs into the Admin panel, WordPress generates cookies to keep the status of the users. To ensure that the cookies are safe and not guessable, it adds a salt while generating the cookie. This salt should ideally be long and difficult to guess. The salt is picked from 8 parameters in wp-config.php and look something like this:
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);
The above should be replaced with a new set upon installation, and WordPress provides and excellent tool to generate these randomly. You can get the same from: https://api.wordpress.org/secret-key/1.1/salt/
Also, in case your site gets hacked, it is highly advisable to change these keys with fresh ones. This will force all users to login again, and hence the hacker cannot use old cookies.
Move wp-config.php out of the core WordPress folder.
Typically wp-config.php is placed in the core WP folder along with other standard files like wp-settings.php, wp-login.php etc. WordPress also supports a more secure option, where in the wp-config.php can reside on the folder outside your wordpress installation. For example if your wordpress is installed in the folder /public_html/ folder, instead of having the file being present as /public_html/wp-config.php, you should store it as /wp-config.php. WordPress will intelligently pick up the configuration from this instead.
A good WordPress Backup solution will identify that the file is present in the outer folder, and will still back it up.
File Permissions of wp-config.php
Change the permissions of the file, so that only your webserver can access it. Further this file should not be modifiable/writable by anybody. Hence the preferred permission here would be to use: 400 or 440 depending on your setup. Permissions can typically be changed by using FTP or cPanel.
Securing the htaccess file
Apache uses htaccess to prevent unauthorized access to certain parts of the site. Since wp-config.php should never be accessed directly by anybody, and since it contains the critical database details, we should block it from htaccess file too. This can be done by adding the following lines to your htaccess file:
order allow,deny
deny from all
- 376 Users Found This Useful